Thinking Thin

Many thin clients have no support whatsoever for local audio from a Linux
terminal server. Those that do typically have only ESD. This requires
that the applications be configured to use ESD (most have this option,
but not all). The following also must be added to the .bash_profile of
thin-client users to identify the IP:port of the thin client's ESD
server:

export ESPEAKER=${DISPLAY%%:*}:16001

Accessing Local Storage

Because thin clients have no built-in drives, the only local storage
of interest is USB-connected. We want locally inserted devices to be
accessible from a desktop icon. But as the desktop is running on
the terminal server, we need to make the terminal server see these
local files.

This requires a thin client with a local NFS server configured to
automatically detect and share USB devices. On the terminal server,
we configure the autofs dæmon to detect these remotely mounted devices
automatically and mount them locally. Create a directory /etc/auto
on the terminal server. For each user who is allowed to access local
storage, create a file /etc/auto/username with the following contents:

usb -rw,soft,intr 192.168.0.64:/autofs/usb0

Replace 192.168.0.64 with the thin client's IP address. The export
path (/autofs/usb0 here) will vary by manufacturer. Create a directory
/home/username/media, then add the following to /etc/auto.master:

/home/username/media /etc/auto/username --timeout=15

Finally, create a symlink on username's desktop to
/home/username/media/usb. The user now can insert a USB drive, and
clicking the symlink will cause autofs to mount it on the terminal server.

This method works and has been used in real deployments, but it has an
inherent limitation. The thin clients must have static IPs, and each
user is tied to an IP address. In cases where users need to float between
stations, this will not be adequate.

Restricting Physical Login Locations

In many cases, it is actually required that user access be restricted
to specific locations. This is easily accomplished using the PAM login
access control table. First, the thin client must be given a static IP
address. Then, add the following entry to /etc/security/access.conf on
the terminal server:

-:username:ALL EXCEPT 192.168.0.64

The format of this file is permissions:users:origins. So the above
example removes (-) permission for user username from all addresses
except 192.168.0.64.

Besides the obvious security application, this is also useful for
public-access thin clients. While creating a separate generic account
for each thin client (user1, user2 and so on) gives each one a separate
home directory so users will not trip over each other, it is easy to
log in accidentally using the wrong generic account at a given
workstation. This procedure prevents that.
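
A table of such rules can be checked before it is deployed. The following is an added example, not code from the original article: it evaluates rules the way the access table is read (the first matching entry decides, and a login that matches no entry is allowed), so it also shows that accounts without an entry stay unrestricted. It models only user names, ALL, EXCEPT and IP addresses or networks; the second account user2 on 192.168.0.65 is a constructed assumption.

```python
import ipaddress

# Constructed sample: the article's rule plus an assumed second station account.
SAMPLE_ACCESS_CONF = """\
-:username:ALL EXCEPT 192.168.0.64
-:user2:ALL EXCEPT 192.168.0.65
"""

def _token_matches(token, value, is_origin):
    if token == "ALL":
        return True
    if not is_origin:
        return token == value
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(token, strict=False)
    except ValueError:
        return False  # hostnames, ttys and LOCAL are outside this simplified model

def _list_matches(tokens, value, is_origin):
    """Match 'A B EXCEPT C D': some item before EXCEPT matches, none after it."""
    head, tail = tokens, []
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    if not any(_token_matches(t, value, is_origin) for t in head):
        return False
    return not (tail and _list_matches(tail, value, is_origin))

def parse_rules(text):
    """Parse permission:users:origins lines, skipping blanks and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {perm!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules

def login_allowed(rules, user, origin_ip):
    """First matching rule decides; if no rule matches, the login is allowed."""
    for perm, users, origins in rules:
        if _list_matches(users, user, False) and _list_matches(origins, origin_ip, True):
            return perm == "+"
    return True
```

The table is enforced only for services whose PAM configuration loads the pam_access module, so confirm that for the display manager or login service in use.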

Conclusions

Thin clients have matured and are ready for widespread use. Their benefits
are too compelling to ignore, and most have a commitment to Linux as
their primary platform. Unfortunately, most are myopically focused on
MS Windows terminal servers and are neglecting support for Linux on the
server side. As they become more widely deployed, the ironic possibility
of Linux systems becoming an impediment to the deployment of open source
on the desktop is very real.

Some specific items that must be addressed are:

Thin clients are too proprietary. Open tools are needed for building
Flash images and other system management tasks.

Universal support for full-duplex, low-latency audio.

Secure, easy and mobile access to local USB storage devices.

Support for local non-PostScript printers.

Encryption and compression.

The solution is likely NX or something very similar—something that
retains the modularity of the system while integrating the components
into a cohesive whole. I have not yet seen a thin client with a fully
functional NX client.